
Firewall rules need improvement

The firewall rules are adequate, but they really could be a lot better.

1. You need permission groups. If you have several SSIDs that have the same firewall rules, you need to recreate the rules.
2. The groups should include named rules. Each rule should include all of the options of a Custom Application (host name, IP address, port number) and IP Firewall Policies objects (IP Address, IP Range, Host Name, Network, Wild Card).
3. Objects, rules, etc. need the ability to be renamed. Since it's not in a group, if something changes and you need to update a host, you end up using generic names (DNS1, DNS2), having the name and the actual object mismatched (www.example.com object with www.example.net destination), or having to manually touch every IP firewall rule.

I've worked around this a bit by defining rules as Custom Applications, even if they aren't really an application. For example, I created "Web Servers" and added all of the web servers an SSID can access. However, that doesn't always work. I wanted to create a rule that was to 10.X.1.8 with a wildcard of 0.255.0.0 to port 9999. There's no way to define this in a single rule, so I had to create a Port application rule and a wildcard firewall rule, but now any changes have to be done for every IP rule.

It would also be nice if these same rules could be applied to the switch. You can't use Application rules in a switch, so there aren't enough rules available to implement our filter requirements.